DOI: 10.4018/IJSSSP.2018100102
Copyright © 2018, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
A Secure MANET Routing Protocol for Crisis Situations
Martin Gilje Jaatun, SINTEF Digital, Trondheim, Norway https://orcid.org/0000-0001-7127-6694
Åsmund Ahlmann Nyre, HEMIT, Trondheim, Norway
Inger Anne Tøndel, SINTEF Digital, Trondheim, Norway
ABSTRACT
Emergency and rescue operations are often carried out in areas where the network infrastructure cannot be relied on for message exchange between first responders. Since a fundamental feature of a Mobile Ad Hoc Network is the ability to operate independently of existing infrastructure, it is deemed a well-suited solution to first responders scenarios. In this article, the authors describe a security extension to the OLSR routing protocol specifically designed for first responder scenarios. The proposed protocol provides node authentication and access control using asymmetric encryption and digital certificates, and also offers a secure group communication scheme. A link encryption scheme is devised to allow for efficient encryption of data even in broadcast mode, without the need for a network-wide shared key. By utilising pairwise symmetric keys for link confidentiality, the authors’ solution is both efficient and scalable.
KEYWORDS
Admission Control, First Responders, MANET, OLSR, Security
1. INTRODUCTION
Emergency and rescue operations are often carried out in areas where the network infrastructure cannot be relied on for message exchange between first responders. Although one may argue that some network infrastructure (e.g. GSM/GPRS/UMTS, Wi-Fi, WiMax, satellite, etc.) exists in even the most deserted places, the cause of the emergency operation (e.g. fire, hurricane, explosion, etc.) may also affect the infrastructure. Furthermore, rural infrastructure may not have been dimensioned for the network load imposed by a large-scale emergency operation. Since a fundamental feature of a Mobile Ad Hoc Network is the ability to operate independently of existing infrastructure, it is deemed a well-suited solution to first responder scenarios.
The nature of emergency and rescue operations implies that providing information security is a prerequisite for MANETs to be used in such situations (Meissner, Luckenbach, Risse, Kirste, & Kirchner, 2002; Dearlove, 2004). Unlike the general-purpose MANET, a first responder MANET must restrict access to the network such that valuable resources (e.g. bandwidth, battery lifetime, processing power, etc.) are not wasted on activities not related to the operation. Access control also enables node authentication and confidentiality of information by only allowing authorised nodes to send and receive information. With limited resources and a great emphasis on availability it is equally important that security mechanisms do not substantially affect the overall performance and throughput of the network.
Our main contribution in this paper is the design and specification of a new security extension to the Optimised Link State Routing (OLSR) protocol specifically tailored to first responder scenarios. Our protocol extension utilises digital certificates and asymmetric encryption for node authentication and symmetric key establishment. We also specify a new certificate extension to allow for distributed access control based on authorised node descriptions. To efficiently provide confidentiality, our protocol extension also includes a link encryption scheme utilising dynamically established symmetric keys between neighbouring nodes. By limiting the use of asymmetric encryption, our protocol extension is efficient.
The article is structured as follows: We start by giving an overview of relevant state of the art on MANET security (Section 2). We then outline relevant security requirements in Section 3. Next we present an overview of our proposed protocol extension in Section 4, before we detail our solution in Section 5. Finally, we discuss our contribution (Section 9) before concluding and outlining further work in Section 10.
2. BACKGROUND AND STATE OF THE ART
In this section we will present some existing MANET routing protocols (that typically do not offer any security), then present existing attempts to provide secure routing in MANETs. We will also say a few words on intrusion detection in MANETs, and close the section by relating what we have described to MANETs used in crisis situations.
2.1. Routing Protocols
Attempts to secure routing in MANETs have mostly been done by specifying extensions to the original unsecured routing protocols. We therefore will in the following give an overview of the main classification of MANET routing protocols, before we briefly outline the main characteristics of three concrete examples.
MANET routing protocols perform route discovery either proactively or reactively. Proactive route discovery protocols utilize beacon messages, i.e. messages that are transmitted periodically, to inform other nodes of current routes in the network. Thus, whenever a node needs a route to a destination, it is already available, and no additional delay is introduced. The problem with this approach is that control data overhead may be significant due to the periodic flooding of routing information, particularly for dense networks and networks with few transmissions. Routing tables may be quickly outdated for high mobility networks. MANET protocols based on reactive route discovery do not utilize any periodic dissemination of routing information, but instead flood the network for a route to a destination whenever this is needed by the node. Thus, there is no control data overhead as long as the network is idle, and consequently the risk of congesting the network with such control data is reduced. However, if a link in an established route breaks, the entire route discovery process must be re-initiated, which may cause a significant delay in packet delivery. In networks with little node movement, this will rarely happen, and hence the overhead is greatly reduced compared to the proactive approach. There are several factors that need to be considered to determine which of the two approaches is better, including node movement, network density, area size (average hop-count), bandwidth, network load, etc.
The Destination Source Routing (DSR) protocol (Johnson, Hu, & Maltz, 2007; Johnson & Maltz, 1996) is a reactive protocol where the entire route to the destination is listed in each packet. Route discovery is done through broadcasting route request messages containing the destination address. The request is propagated through the network with all intermediate nodes adding their address to the route stored in the packet, until either the destination or a node with a route to the destination is reached. A route reply is then sent either using the reverse path of the request, or preferably piggybacked on a new route request to the initial sender. Piggybacking is considered better since links may be asymmetric and hence the reversed route may not be valid. Route maintenance is performed either actively through the reception of link-layer acknowledgements or passively through detecting the receiving node’s retransmission in promiscuous mode. Detected link errors, i.e. missing acknowledgements, result in the transmission of a link error message to the sender. Similar to route reply, this may either be done through the reverse path of the current route or preferably piggybacked on a route request to the sender. To improve efficiency, DSR also allows nodes to utilize promiscuous mode to discover routes and errors handled by adjacent nodes.
Ad hoc on-demand distance vector routing (AODV) (Perkins & Royer, 1999; Perkins, Belding-Royer, & Das, 2003) is a reactive protocol similar to DSR. AODV however does not carry the entire path in the packet header, instead each intermediate node independently computes the optimal next-hop for the given destination. Route discovery is performed by flooding route requests (RREQ) in the network to reach either the destination or an intermediate node with a valid route to the destination. The next-hop in the reverse path, i.e. the node from which the RREQ was received, is recorded by every intermediate node. Upon reaching the destination (or another node with a valid route) a route reply (RREP) message is unicast back along the recorded reverse path. Intermediate nodes receiving a RREP record the forward path, i.e. the node from which the RREP was received. Timers are associated with the routing table entries such that invalid or unused routes are removed after a predefined period of time. AODV is said to be “a pure on-demand route acquisition system” (Perkins & Royer, 1999), meaning that unless nodes lie on an active path (i.e. route), they do not have to maintain or advertise any routing information.
The Optimized Link State Routing (OLSR) protocol (Jacquet et al., 2001; Clausen & Jacquet, 2003) is a proactive protocol that actively maintains routes to all destinations in the network by periodically transmitting control information. Local link sensing is achieved by broadcasting HELLO messages containing every one-hop link known to the node. The receiver is then able to compute its two-hop neighbour set, which in turn allows it to create a Multi-Point Relay (MPR) set. The MPR set is formed such that it includes the least number of one-hop neighbours such that every two-hop neighbour can be reached. The protocol specifies that only neighbours belonging to the MPR set are allowed to forward control messages on behalf of a node. Thus, the cost of flooding control packets in the network is considerably reduced. Topology information beyond the two-hop neighbours already known using HELLO messages, is distributed using Topology Change (TC) messages. Every node maintains a MPR Selectors set containing all nodes that have selected it as MPR. Every node with a non-empty MPR Selectors set must periodically flood the network (using MPR) with TC messages containing at least every node in the MPR Selectors set. One may extend the TC messages to include additional nodes and also create suboptimal MPR sets, however at the cost of increased overhead and consequently reduced performance.
2.2. Secure MANET Routing
Ariadne (Hu, Perrig, & Johnson, 2005) is a secure on-demand routing protocol based on DSR. It provides three ways of authenticating routing messages; using pairwise shared secret keys, using pairwise shared secret keys combined with broadcast authentication or using digital signatures. If shared keys or digital signatures are used then the routing message is authenticated by appending a Message Authentication Code (MAC) or digital signature for each intermediate node. The protocol also proposes the use of the Timed Efficient Stream Loss-tolerant Authentication (TESLA) broadcast authentication mechanism (Perrig, Canetti, Tygar, & Song, 2002) for intermediate hop authentication and shared secret for endpoint authentication. The TESLA mechanism utilizes reversed hash chains and delayed key disclosure to provide authentication of routing messages. The protocol requires loosely synchronised clocks and a delay of at least the network round-trip time to guarantee that the message has been received by all nodes before the key is disclosed. Ariadne provides both integrity and authentication of routing information, however non-repudiation can only be guaranteed when using digital signatures, since MACs can also be calculated by the recipient, and are impossible for others to verify.
The Secure Routing Protocol (SRP) (Papadimitratos & Haas, 2002) is designed as an extension to DSR or the interzone part of the Zone Routing Protocol (ZRP) (Haas, 1997). The protocol relies solely on symmetric key cryptography for authenticated route discovery, assuming that shared secret keys have already been established between the source and destination nodes. A MAC based on the shared key is appended to route requests in order to allow the destination to authenticate the originator. However, intermediate nodes and the recorded route are not authenticated. Additionally, route error messages do not contain any verification and hence can be forged by adversaries. The protocol provides authentication and integrity, but introduces some serious issues for the availability.
The Secure AODV routing protocol (SAODV) (Zapata & Asokan, 2002) utilizes hash chains for authenticating mutable data in route request messages. However, for non-mutable data the protocol uses only digital signatures. A node requesting a route to a destination generates a random seed for the hash chain and computes the maximum hash chain value by repeated hashing of the seed until reaching the maximum hop count. The signature on all fields but the seed and hop count is appended to the message. Intermediate nodes verify the signature and that the maximum hash chain value is reached after hashing the received seed (max_hop_count - hop_count) times. If verification holds, the hop count is stepped and the seed is updated by hashing it. In order to allow intermediate nodes to respond with a RREP whenever it holds a valid route in its route cache, the double signature scheme is proposed. Route error messages do not use the hash chain mechanism, but are instead digitally signed. Since it is not considered relevant which node initially started the error message, the signature is replaced for each hop, rather than appended. The protocol provides authentication for end nodes, but not for intermediate, allowing adversaries on the path to forge their identity. The hash chain mechanism guarantees that malicious nodes cannot reduce the hop count value, but may increase it or omit updating it.
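The hop-count check described above can be exercised directly. The following is an added example, not code from the article or from SAODV itself: the field names, the choice of SHA-256 and the fixed seed are assumptions, and the originator's signature over the immutable fields is assumed to have been verified already.

```python
"""SAODV-style hop-count protection with a one-way hash chain (added example)."""
import hashlib
from dataclasses import dataclass, replace


def h(data: bytes) -> bytes:
    """One application of the one-way function (SHA-256 is this example's choice)."""
    return hashlib.sha256(data).digest()


def hash_n(data: bytes, n: int) -> bytes:
    """Apply h() n times."""
    for _ in range(n):
        data = h(data)
    return data


@dataclass(frozen=True)
class RouteRequest:
    # Mutable fields: rewritten at every hop and not covered by the signature.
    hop_count: int
    hash_value: bytes      # the seed, hashed hop_count times
    # Immutable fields: covered by the originator's signature, which this
    # example assumes has already been checked.
    max_hop_count: int
    top_hash: bytes        # the seed, hashed max_hop_count times


def originate(seed: bytes, max_hop_count: int) -> RouteRequest:
    """Originator: publish the seed and the maximum hash chain value."""
    return RouteRequest(0, seed, max_hop_count, hash_n(seed, max_hop_count))


def verify(rreq: RouteRequest) -> bool:
    """Hash the received value (max_hop_count - hop_count) times and compare."""
    if not 0 <= rreq.hop_count <= rreq.max_hop_count:
        return False
    remaining = rreq.max_hop_count - rreq.hop_count
    return hash_n(rreq.hash_value, remaining) == rreq.top_hash


def forward(rreq: RouteRequest) -> RouteRequest:
    """Intermediate node: verify, then step the hop count and hash the value."""
    if not verify(rreq):
        raise ValueError("hash chain check failed, dropping RREQ")
    if rreq.hop_count == rreq.max_hop_count:
        raise ValueError("maximum hop count reached, dropping RREQ")
    return replace(rreq, hop_count=rreq.hop_count + 1,
                   hash_value=h(rreq.hash_value))


def run_cases() -> dict:
    """Check the guarantee and the two limitations named in the text."""
    seed = bytes(range(32))  # constructed value; a real node draws a random seed
    rreq = originate(seed, max_hop_count=8)
    for _ in range(3):       # three honest intermediate nodes
        rreq = forward(rreq)

    # Claiming a shorter path needs an earlier chain value, which cannot be
    # derived from the current one, so the old value is reused here.
    lowered = replace(rreq, hop_count=rreq.hop_count - 1)
    # A node that relays the message without stepping either field.
    not_updated = rreq
    # A node that steps both fields twice, making the path look longer.
    inflated = replace(rreq, hop_count=rreq.hop_count + 2,
                       hash_value=hash_n(rreq.hash_value, 2))
    return {
        "honest_after_3_hops": verify(rreq),
        "hop_count_lowered": verify(lowered),
        "hop_count_not_updated": verify(not_updated),
        "hop_count_inflated": verify(inflated),
    }


if __name__ == "__main__":
    for case, accepted in run_cases().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the lowered hop count is rejected; the unchanged and inflated variants still verify, which is why the hash chain alone bounds the hop count from below but does not authenticate intermediate nodes.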
Authenticated Routing for Ad hoc Networks (ARAN) (Sanzgiri et al., 2005) is a signature-based extension to the AODV routing protocol, providing secure route discovery. Route requests are signed by the originator of the request and propagated throughout the network. Intermediate nodes will, upon receiving the request, verify the signature and the sequence number before adding their signature and forwarding it to their neighbours. The destination validates all signatures and creates a signed route reply message including the sequence number and source of the request. The reply is sent back to the source along the reverse path of the request, where intermediate nodes verify and sign it in the same manner as the request. Link failures are detected and reported using routing error messages, which are signed by the reporting entity and propagated through the network. No intermediate node signs the error message. The proof-of-concept implementation and subsequent testing indicate that the protocol increases the delay for route setup by several orders of magnitude. The tests done on the protocol show that even with fairly powerful laptops, the ARAN protocol using 1024 bits RSA keys is approximately 23 times slower than the unsecured AODV protocol (Sanzgiri et al., 2005).
The Secure Link State Protocol (Papadimitratos & Haas, 2003) is a secure proactive routing protocol employing a similar strategy as SAODV for message authentication. Link State Updates (LSUs) are digitally signed by the originating node, with all mutable fields excluded. The mutable fields are instead governed by a hash chain, which does not allow reduction in the hop count. By specifying a maximum hop count, the protocol can be used as the intrazone part of ZRP (Haas, 1997). Only end-nodes are authenticated, such that intermediate nodes may spoof their identity without being revealed.
The Secure Transmission Protocol (STP) (Papadimitratos & Haas, 2006) utilises symmetric key encryption for reliable end to end authentication of data transmission. Messages are split up and sent on disjoint routes, and missing packets result in resending and updated routing information. Symmetric keys are assumed to be established in advance. As pairwise shared secrets do not scale well, Puzar et al. (Pužar, Plagemann, & Roudier, 2008) suggest a solution where every node in the network shares the same key. Mechanisms are defined that result in periodic key changes, but during key re-selection the network is in an inconsistent state unable to route messages.
2.3. Intrusion Detection
Given the lack of network perimeters and the open collaborative nature of mobile ad hoc networks it is hard to define what actually constitutes a network intrusion. Commonly, intrusions are viewed as malicious behaviour aimed at disrupting or degrading network performance.
The WATCHERS protocol (Bradley, Cheung, Puketza, Mukherjee, & Olsson, 1998) was proposed to enable detection of disruptive nodes in the network. The idea is to use conservation of flow, i.e. what comes in must come out, to detect misbehaving nodes. Every node monitors its neighbours and measures the amount of dropped packets, misrouted packets, etc, by listening to the communication of adjacent nodes and comparing received packages to the transmitted ones. If metrics exceed a predefined threshold, the corresponding node is considered malicious and the link to it dropped. The protocol has been criticised for its assumptions on the reliability of wireless communication (Hughes, Aura, & Bishop, 2000), since there are numerous valid reasons for dropping a packet.
A similar detection and prevention scheme was proposed by Marti et al. (Marti, Giuli, Lai, & Baker, 2000) where a watchdog is used to detect misbehaving nodes and a pathrater is used to compute paths avoiding the detected nodes. Designed for the DSR protocol, the watchdog mechanism utilizes promiscuous mode and knowledge of the path to the destination to assert whether the neighbour node actually forwards packets as expected. A counter is increased whenever a routing misbehaviour is detected, ultimately blocking the node if the counter reaches a predefined threshold. Unlike the WATCHERS protocol, watchdog and pathrater are protocol specific so as not to rely solely on the conservation of flow as a detection mechanism.
The COllaborative REputation mechanism (CORE) (Michiardi & Molva, 2002) like the previous protocols also utilizes a watchdog mechanism and additionally includes a reputation system. The reputation system specifies three different types of reputation; subjective, indirect and functional. Subjective reputation is based on direct observation through the watchdog mechanism operating in promiscuous mode. Indirect reputation is based on received reputation metrics from other nodes, while functional reputation indicates the reputation for a particular functionality (e.g. packet forwarding). To prevent denial-of-service attacks by malicious broadcasting of negative ratings for benign nodes, indirect reputation may only take positive values. Unlike the watchdog/pathrater approach described above, CORE does not exclude malicious nodes from routes, but rather encourages cooperation in order to receive network services.
The DSR protocol extension CONFIDANT (Cooperation Of Nodes: Fairness In Dynamic Ad-hoc NeTworks) (Buchegger & Boudec, 2002) consists of a monitor, a trust manager, a reputation system and a path manager. The monitor is similar to the watchdog mechanism and performs local detection of misbehaviour. The trust manager is responsible for distributing ALARM messages regarding malicious behaviour to nodes belonging to a friends list. It also computes trust levels of received information such that weighting may be employed for rating changes. The reputation system provides a quality rating of participating nodes, based on local and received information. Sufficient evidence must be gathered before a decision is made and it must have been gathered over a long enough time to rule out coincidence. The path manager is responsible for rating the active paths in the network and to react to paths containing malicious nodes (e.g. delete the path).
CONFIDANT is similar to the watchdog/pathrater approach, but additionally creates incentives for correct behaviour of nodes by refraining from forwarding packets on behalf of misbehaving nodes. The CONFIDANT protocol proposes the use of a trust manager to share its ratings with the other nodes in the network. Route selection is done according to a trust metric such that the most trusted path is selected. If there is more than one path with highest trust rating, the shortest is selected.
The strategy by Wang et al. (Wang, Lamont, Mason, & Gorlatova, 2005) is to use protocol specific properties for sanity checking routing updates. For the OLSR protocol, the use of multi-point relays (MPRs) allows some checking of the originating node. For example, if node A advertises a link to node B, then node A must be an MPR of node B. Thus, node B can perform a sanity check of the received information by comparing the originator to its set of MPRs. Wang et al. (Wang et al., 2005) further propose for B to broadcast (through its MPRs) a message to invalidate the advertised link, so that other nodes will refrain from using it. There are several such properties that may be used to verify the correctness of the advertised information. The article does not discuss other reasons for such incoherence, such as latency in TC updates, link failures, etc, nor what actions should be taken upon receiving an invalidation of a link. Labelling the originator as malicious would introduce the possibility for malicious nodes to emit invalidations randomly to its MPR nodes and thereby convince the network that the benign node is malicious. If the check was performed by any adjacent node to B (i.e. in B’s HELLO set) or any of B’s MPRs, a majority vote could be used to guarantee the correctness of the invalidation.
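The MPR selection outlined in Section 2.1 and the sanity check attributed to Wang et al. above can be combined in a few lines. This is an added example, not code from the article or from Wang et al.: the greedy heuristic stands in for "the least number of one-hop neighbours" (finding the true minimum is a set-cover problem), and the node names, HELLO contents and TC messages are constructed.

```python
"""OLSR MPR selection and the MPR-based TC sanity check (added example)."""


def select_mprs(me, hello):
    """Pick one-hop neighbours that together reach every two-hop neighbour.

    hello maps each one-hop neighbour to the set of nodes it listed in its
    HELLO message. A greedy heuristic is used instead of an exact minimum.
    """
    one_hop = set(hello)
    # Nodes strictly two hops away that each neighbour can reach for us.
    cover = {n: hello[n] - one_hop - {me} for n in one_hop}
    uncovered = set().union(*cover.values())
    mprs = set()
    # Step 1: a neighbour that is the only way to reach some node is mandatory.
    for target in sorted(uncovered):
        providers = [n for n in one_hop if target in cover[n]]
        if len(providers) == 1:
            mprs.add(providers[0])
    for m in mprs:
        uncovered -= cover[m]
    # Step 2: keep adding the neighbour that covers most remaining nodes
    # (ties are broken alphabetically so the result is deterministic).
    while uncovered:
        best = max(sorted(one_hop - mprs),
                   key=lambda n: len(cover[n] & uncovered))
        mprs.add(best)
        uncovered -= cover[best]
    return mprs


def tc_is_consistent(me, my_mprs, originator, advertised):
    """A TC lists nodes that selected the originator as MPR.

    If this node is listed, the originator must be in this node's own MPR
    set; a TC that does not mention this node cannot be checked this way.
    """
    return me not in advertised or originator in my_mprs


def audit_tcs(me, hello, tcs):
    """Return originators whose TC contradicts this node's MPR choice.

    A hit is a reason to investigate, not proof of malice: the text lists
    latency in TC updates and link failures as benign causes.
    """
    my_mprs = select_mprs(me, hello)
    return [orig for orig, advertised in tcs
            if not tc_is_consistent(me, my_mprs, orig, advertised)]


# Constructed sample: what node B heard in HELLO messages from its neighbours.
HELLO_SEEN_BY_B = {
    "A": {"B", "E", "F"},
    "C": {"B", "F", "G"},
    "D": {"B", "G"},
}

# Constructed sample: (originator, advertised MPR selectors) of received TCs.
TCS_RECEIVED = [
    ("A", {"B"}),        # consistent: B selected A
    ("C", {"B"}),        # consistent: B selected C
    ("D", {"B", "G"}),   # inconsistent: B did not select D
    ("X", {"B", "Y"}),   # inconsistent: X is not even a neighbour of B
    ("E", {"A"}),        # does not mention B, nothing to check
]

if __name__ == "__main__":
    print("MPR set of B:", sorted(select_mprs("B", HELLO_SEEN_BY_B)))
    print("TCs to investigate:", audit_tcs("B", HELLO_SEEN_BY_B, TCS_RECEIVED))
```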
Otrok et al. propose a different strategy for intrusion detection that greatly reduces power consumption of participating nodes (Otrok, Mohammed, Wang, Debbabi, & Bhattacharya, 2008). The idea is to let nodes in a cluster elect one single node to perform intrusion detection on behalf of the others in a collaborative game, maximising the security for the network as a whole. In order to mitigate the risk of having a misbehaving node performing the intrusion detection a set of checkers are simultaneously elected to verify correct behaviour. By sampling the communication, the checkers collaboratively decide through majority vote whether the elected node is misbehaving. For this approach to be valid, at least half of the checkers must be benign in order to guarantee that no benign node is blocked from the network. Although the approach is favourable in terms of energy consumption, networks of highly mobile nodes may force constant re-elections of both intrusion detection nodes and checkers. While obviously degrading performance and throughput of the network, this may also hamper detection of misbehaving nodes as it is impossible to gather sufficient information for making a decision before a re-election is done.
Another approach to reduced energy consumption is for each node to only have its intrusion detection mechanism running a portion of the time, as suggested by Marchang and Tripathi (Marchang & Tripathi, 2007). They develop a game theoretic approach to model how the defender and attacker choose the percentage of the time the defence and attack will be running, respectively. By assuming different detection rates, the game is simulated to show the impact of reduced monitoring.
2.4. Relating State-of-the-Art to Crisis Situations
In the previous sections we have given an overview of preventive and reactive security mechanisms tailored for use in MANETs. The next step would be to identify the missing parts (if any), in order to provide secure MANETs, and thus we need to map each of the protocols to whether they provide authentication, confidentiality, integrity, authentication and non-repudiation.
For reactive protocols aimed at detecting misbehaving nodes, there is typically no cryptographic support that enables confidentiality, authentication and non-repudiation. Integrity could be supported by observing neighbours’ retransmissions, however the key property of such protocols is availability. By detecting and reacting upon misbehaving nodes the probability of correct functioning of the network is improved. Thus, when identifying whether the protocols meet the security goals, we have only included the preventive protocols. Table 1 summarizes how the various protocols meet the security goals. Note that the availability property is considered satisfied if the protocol improves denial-of-service resistance and does not imply that it will resist all attacks. Also, the non-repudiation property is not considered satisfied when using hash-chains or symmetric key MACs for message authentication. Hash chains only provide temporal evidence, since after key disclosure anyone can create authentic messages. MACs on the other hand are not verifiable to anyone but the entities that share the secret key, and do not provide evidence as to which of these entities initiated the message.
What is perhaps most noteworthy is the fact that none of the protocols provide any confidentiality of routing information. For general purpose MANETs with free access, confidentiality may seem unnecessary. However, for closed networks such as military, rescue or crisis management MANETs, it may be vital that outsiders cannot identify network participants and also are unable to build a network map. Thus, for such applications of MANETs, there should be a protocol to provide this. Note also that all protocols either rely on an established MANET-wide PKI or pairwise shared secret keys. Although there exist numerous key management and key sharing schemes (Zhou & Haas, 1999; Ramkumar & Memon, 2005; Saxena, Tsudik, & Yi, 2007), this is not trivially achieved, especially for open commercial application areas such as a conference venue.
Because of the problems with network wide keys, we do not believe the approach by Puzar et al. (Pužar et al., 2008) to be the best solution for MANETs. Still Puzar et al. specifically address emergency and rescue operations, and many of their ideas fit well within this setting; they rely on pre-existing certificates to be in place, all certificates are signed by the same CA, and they put restrictions on which nodes are authorised to influence routing.
There are of course other non-security properties to consider such as data and processing overhead, battery consumption, delay, etc., which influence the choice of security mechanism. For instance, the extensive use of digital signatures in the ARAN protocol ensures a higher level of security (e.g. secure authentication of intermediate nodes) at the cost of added processing and data overhead for each hop. Thus, the optimal protocol is not necessarily the one providing the optimal security.
As with conventional intrusion detection systems, detecting misbehaving nodes in MANETs may be erroneous, which in turn may have devastating effects on the network. Since availability is the primary goal of such systems, labeling a benign node as malicious would in effect constitute a denial-of-service attack by the protocol. Similarly if malicious nodes are undetected, the availability of the entire network would be threatened.
The protocols and mechanisms outlined in Section 2.3 all use anomaly-based detection, where deviations from correct protocol behaviour are considered malicious. Additionally, all protocols rely on obtaining information by promiscuously overhearing neighbour transmissions. A problem here is the possibility of a node having two neighbours (that are not themselves neighbours) transmitting simultaneously, causing a collision only for the node operating in promiscuous mode. Such situations and also the unreliability of the wireless medium make it very difficult to perform accurate detection.
Table 1. Comparison of proposed secure MANET protocols

| Protocol | Availability | Confidentiality | Integrity | Authentication | Non-Repudiation | Assumptions |
|---|---|---|---|---|---|---|
| Ariadne | Yes | No | Yes | Yes | No | Established PKI or shared secret keys |
| SRP | Yes | No | Yes | Yes | No | Established shared secret keys |
| SAODV | Yes | No | Yes | Yes | Yes | Established PKI |
| ARAN | Yes | No | Yes | Yes | Yes | Established PKI |
| SLSP | Yes | No | Yes | Yes | Yes | Established PKI |

3. REQUIREMENTS
Most existing work on security in ad hoc networks handles security requirements only superficially. The most relevant work that we are aware of is a study of known problems with existing routing protocols for ad hoc networks, as presented by Dahill et al. (Dahill, Levine, Royer, & Shields, 2001) and Sanzgiri et al. (Sanzgiri, Dahill, Levine, Shields, & Belding-Royer, 2002). This study led to seven security requirements, covering spoofing of route signalling, fabrication and altering of routing messages, malicious formation of routing loops, route redirection from shortest path, which nodes should be part of route computation and discovery, and exposure of network topology. Ad hoc networks are divided into three categories, each requiring a different level of security. Emergency and response in disaster areas is considered part of the managed-hostile environments group, which should meet all the identified requirements.
A less detailed list of security requirements on routing protocols of ad hoc networks is provided by Zapata and Asokan (Zapata & Asokan, 2002). They are concerned with routing updates, and state the importance of import authorisation, source authentication and integrity of routing information. Data authentication is said to be covered by the combination of the above. Compromised nodes are not considered, as they believe this only to be relevant for military scenarios. Availability is also not covered as they find it unfeasible to prevent denial of service (DoS) attacks when using wireless technology.
Wrona (Wrona, 2002) takes a different approach, and states that ad hoc networks in general have the same security requirements as other communication systems. Ad hoc networks are however extreme in the requirements on the sophistication and efficiency of the security mechanisms themselves, mainly because of the lack of infrastructure and the very dynamic and ephemeral character of relationships between network nodes. However, Wrona does not provide more details on the security requirements.
3.1. Elicitation Method
Tøndel et al. (Tøndel, Jaatun, & Meland, 2008) give an overview of existing approaches to security requirements elicitation, and identify the most commonly recommended steps. A four-step approach is then proposed: 1) Identify security objectives, 2) Asset identification, 3) Threat analysis, and 4) Documentation of security requirements. Objectives are defined as “the high-level requirements or goals that are most important to customers, and the requirements that must be met to comply with relevant legislation, policies, and standards” (Tøndel et al., 2008). Assets are important as “security requirements are primarily needed in order to protect our assets, and this will obviously be impossible to do properly unless we know what these assets are” (Jaatun & Tøndel, 2008). During threat analysis likely attacks against the most important assets are studied.
In this work the requirements elicitation process was performed by the authors, who can be said to be network security experts. As we did not have access to customers, objectives were identified based on previous work in OASIS and based on reading material on ad hoc networks for emergency and rescue operations. Assets were identified in a workshop using the approach described by Jaatun and Tøndel (Jaatun & Tøndel, 2008). This approach is based on brainstorming, something that may seem a bit too unstructured at first glance. Available publications on asset identification however show that brainstorming techniques and similar are used in several approaches - with few problems experienced (Caralli, Stevens, Young, & Wilson, 2007; Jaatun & Tøndel, 2008).
In the workshop assets were prioritised by considering the importance of the confidentiality, integrity and availability of each asset from the viewpoint of system users, owners and attackers. By including different viewpoints we were able to handle the fact that different actors’ views of an asset are not directly related (Haley, Laney, Moffett, & Nuseibeh, 2008). Hence most focus is given to assets that are important for attackers as well as system owners and/or system users. In order to keep the method as lightweight as possible we only used four classes of priorities for our assets: high, medium, low and irrelevant. The total value of e.g. the confidentiality of an asset is then the sum of its value from the different viewpoints. This is of course a simplification, but still provides an easy and powerful way of finding which assets (or more correctly, which properties of the assets) are important in the system.
Based on the result of asset identification, we studied the threats towards the most important assets. For the threat modelling we used attack trees as defined by Schneier (Schneier, 1999), as his threat modelling method is well recognised and fits our approach well. A selection of the identified attacks is presented in Table 2. Most attack trees were created in a workshop, the rest was created by one expert and checked by the others at a later point in time. At the end one expert identified and documented security requirements by going through the security objectives, assets and attack trees. The requirements were later checked by the other experts.
3.2. Objectives
The identified security objectives are listed in Table 3. As a basis for identifying these objectives we described what will be the typical usage of the OASIS ad hoc network and the main security issues as we see it.
Table 2. Examples of identified attacks

| Attack Tree | Main Attacks Identified |
|---|---|
| A1 Get access to and use an existing node | Access node, either physically or externally, and either get access to valid access credentials or bypass access control. |
| A3 Get access to sensitive information | Get access to communication through eavesdropping or routing, and break any encryption. Get access to sensitive information on a node. |
| A4 Get access to access credentials | Get access to communication or nodes that contain access credentials and break any protection. Find credentials. Guess credentials. Perform social engineering attack. |
| A7 Destroy integrity of information | Flip bits in communication. Destroy integrity of packets during routing. Destroy integrity of information stored on nodes. |

Table 3. Security objectives

| Nr. | Objective |
|---|---|
| O1 | Confidentiality: For some information confidentiality will be required by law, e.g. medical information. Mechanisms must thus be in place that are able to offer adequate protection of confidentiality. |
| O2 | Availability vs. confidentiality: As the OASIS ad hoc network is intended to be used in crisis situations, availability is in many, if not most, cases more important than confidentiality. |
| O3 | Integrity: As there are attackers that may want to attack the integrity of information in order to hamper the operation, integrity should be ensured. |
| O4 | Participation and collaboration: Personnel from different organisations and regions must be allowed to participate and collaborate without compromising the security of the network. |
| O5 | Access control: There is no intention of letting “just anyone” connect to the network and start interacting with it. This is a difference between a first responder network and the “academic ideal” ad hoc network. |
| O6 | User hierarchy: Security solutions should support the hierarchical nature of emergency operations. |
| O7 | Dynamics of responsibility: Security solutions should support dynamics in responsibility and authority. |
| O8 | Limited node resources: Devices typically used for the OASIS ad hoc network will have limited computational power and battery available. The security solutions must take this into account. |
| O9 | Limited bandwidth: The bandwidth available will typically be limited, and this must be taken into account when choosing and implementing security solutions. |
| O10 | Usability: Security solutions must not render the system too difficult or troublesome to use. |
| O11 | Not dependent on central nodes: The ad hoc network should function without any central nodes. |

The current predominant communication paradigm for first responders is voice communication over radio networks (e.g. TETRA). MANETs will enable distribution of rich content in uni-, multi- or broadcast mode. In addition to user nodes, we envisage a command post that is operated from a specialised vehicle and possesses greater computing resources. In situations where external communication infrastructure is available, both the command post and first responders may connect to external resources (health networks, police networks, etc.).
Many of the challenges of securing MANETs in general (Wu, Chen, Wu, & Cardei, 2007) also apply to MANETs for first responders. However, communication patterns, media diversity, organisational structure and legislative issues constitute both challenges and opportunities for first responders MANETs. While MANETs in the general case should allow anyone to participate, the situation is quite the contrary for first responders. First responders require an access control that prevents nodes from wasting their resources (energy, processing power, bandwidth, etc.) on information that is not relevant for the mission. While this normally requires pre-configuration, the mechanism should be flexible enough to allow temporary access to nodes that have not been pre-configured. This will allow first responders to dynamically include volunteers, experts, etc., in the operation as they see fit.
We have identified two main types of attackers posing a threat to first responder MANETs: news
media and terrorists. News media is primarily interested in obtaining information on the tactical
operation by launching passive attacks. Information is assumed to be most valuable in real-time,
but remains interesting for critics in the evaluation process. Terrorists are interested in obstructing
the network operations by launching active attacks to disrupt routing, forge communication, thwart
legitimate access, etc. It is possible that a physical terrorist attack (e.g., explosion, fire, etc.) is extended
by a follow-up attack on the first responder emergency operation network.
Organisations involved in emergency operations are typically hierarchically structured,
where information flows upwards and decisions downwards. However, the operational
hierarchy is affected by the type of personnel available at any given time, such that dynamics
in responsibility and authority must be anticipated. As an example, police commanders are
normally in charge of the overall operation, but if none with sufficient authority is present, a
fire-fighter officer will assume this role. In addition, personnel from different organisations
and regions must be allowed to participate and collaborate without compromising the
security of the network. This makes key management, for authentication and access control
in particular, a troublesome task.
In a crisis situation, it is likely that some medical data will be exchanged. Confidentiality
of medical data is required by law to protect the privacy of citizens. However, in the event of an
emergency, preserving lives is considered more important than preserving privacy. If confidentiality
requirements hamper operations, medical staff will plead just cause in order to ensure availability of
data. For the same reason usability is also important, as security mechanisms significantly hampering
the performance of first responders are not likely to be used.
For any tactical operation it is vital that commanding nodes (e.g. squad leader) have access
to a situation map with the current layout of the network (optionally with geographical position).
This, coupled with the need for low latency in route discovery, makes proactive protocols seem
the better choice.
The limited available resources of devices in MANETs are a prime concern when designing
effective security mechanisms. This constraint also applies to the first responder case, but not to the
same extent. Devices for first responders are not assumed to be COTS (Commercial Off-The-Shelf),
but rather specifically designed to meet communication requirements and to withstand environmental
stress. It is thus conceivable that devices for first responders will have far more resources than
hand-held devices designed for the common public.
3.3. Requirements Summary
We devised in total 30 security requirements (Tøndel, Jaatun, & Nyre, 2009) relevant for ad hoc
networks as used in OASIS. The requirements relevant for the work presented in this paper are
presented in Table 4. In addition we identified requirements concerning
e.g. physical access to nodes, input control and credential quality. The requirements differ from
the requirements suggested by Dahill et al. (2001) and Sanzgiri et al. (2002)
in that they cover more than just routing. In our requirements elicitation process we
have also focused on objectives, assets and threats, while they mainly focused on problems with
existing approaches. Our requirements are also more detailed than those presented by Zapata
and Asokan (2002) and Wrona (2002). The entries in the final column
of Table 4 refer back to the identified objectives or attacks as exemplified in Tables 3 and 2 (see
Tøndel et al. (2009) for more details).
Table 4. Selected security requirements
Nr. | Requirement | Source
R8 | Network access: Access to the OASIS ad hoc network should require authentication. | A2 A3
R9 | Strength network access: The mechanism for access to the OASIS ad hoc network should be able to withstand extensive security testing by security testing professionals. | A2 A5
R10 | Link confidentiality: The confidentiality of sensitive information must be protected while sent on the communication link. | A3
R11 | End-to-end confidentiality: The confidentiality of sensitive information should be protected end-to-end during communication. | A3
R12 | Encryption algorithms: All encryption mechanisms should be implemented with well recognised algorithms. | A3 A4
R13 | Encryption keys: All keys used related to encryption should have a key length that is recognised to provide high protection. | A3 A4
R14 | Key management: All key management mechanisms should be well known and recognised. | A3 A4
R16 | Credential communication: The confidentiality of access credentials must be protected end-to-end during communication. | A4
R20 | Transmission errors: For all communication it should be possible to detect transmission errors. | A5-A9
R21 | Integrity transmission: Integrity of communication related to access control (or possibly all communication) should be protected while sent on the link in order to detect deliberate changes by attackers. | A5-A9
R23 | Detection of misbehaving nodes: The OASIS ad hoc network should include mechanisms for detecting misbehaving nodes. | A8
R26 | Identities vs. access rights: Mechanisms must be in place that ensure node users cannot edit their identities and by that increase their access rights. | A6
R27 | Identities and spoofing: Mechanisms should be in place that ensure users cannot edit their entities and by that spoof as another user. | A6
R28 | Participation: The access control mechanism to the ad hoc network should support participation and collaboration from police, fire and medical professionals from the same or neighbouring districts. | O4
R29 | Decentralisation: Access control to ad hoc network should work without any centralised nodes. | O11
4. PROTOCOL OVERVIEW
In this section we outline the main features of our proposed protocol. We first provide a basic overview
of the OLSR protocol for MANETs, which we base our specification on. Next we describe how a
certificate hierarchy is assumed to be organised and how the authentication and access control procedure
is accomplished. Finally, we give a brief description of our link encryption scheme.
4.1. Optimised Link State Routing Protocol
The Optimised Link State Routing (OLSR) protocol (Jacquet et al., 2001; Clausen & Jacquet, 2003)
is a proactive protocol designed for MANETs. The protocol introduces the concept of Multi-Point
Relay (MPR) flooding, where only designated nodes rebroadcast messages. Each node selects a subset
of its neighbours, called the MPR set, such that every two-hop neighbour can be reached through at
least one MPR. By restricting forwarding to only the nodes that have been selected as MPR by the
originator, the MPR scheme allows for an optimised packet flooding that greatly reduces the number
of broadcasts compared to general-purpose flooding.
The protocol defines HELLO messages for local link sensing and Topology Change (TC)
messages for network-wide topology diffusion. Nodes advertise their link set and MPR selection
through periodic broadcasts of HELLO messages containing all direct links with corresponding status
(e.g. symmetric, MPR, etc.). At the receiving end, the messages are used for link sensing, to determine
forwarding actions (whether the node is MPR or not) and to build the two-hop neighbour topology that
forms the basis for MPR selection. The node also maintains an MPR Selector Set containing all
neighbours that have selected the node as MPR. HELLO messages are intended for neighbours only
and are never forwarded.
Topology Change (TC) messages are periodically flooded in the network to allow nodes to
build a complete routing table. The protocol requires that every node having been selected MPR
must broadcast TC messages containing at least all neighbours in the MPR Selector Set. This being
a minimum, additional links may be advertised for redundancy.
4.2. PKI
The authentication mechanism of our protocol is based on X.509 certificates (Cooper et al.,
2008) and requires the establishment of a certification authority (CA) for each organisation
participating in the network. The CA operates off-line, i.e. does not participate in the MANET,
and is responsible for issuing certificates to all its nodes. The number of hierarchical levels and
their structure (geographical, organisational, etc.) is configurable by the user. However, if two
nodes that do not share a CA (at some level) are to authenticate each other, at least one of the
certificates in the certificate chain must be cross signed, so that they may verify the authenticity
of each other's certificate. For first responder organisations that are likely to cooperate, such
cross-certification is recommended. The certificates must include an X.509 extension containing
a description of the node and the certificate.
Distribution of Certificate Revocation Lists (CRLs) is not trivial, especially when allowing
cross signed certificate authorities. In order to limit the size of CRLs and also the impact of failing
to distribute CRLs, we propose to limit the validity time of certificates to typically a few months.
The process may be automated as part of the docking/re-charging procedure at the node's home location
(e.g. at the hospital). CAs could have considerably longer validity time (e.g. years) since these are
not exposed in the same way as mobile nodes.
In order to provide network access to nodes that do not possess regular first responder certificates,
we propose a special short-term certificate. This type of certificate is issued on scene by regular
authorised nodes. Whether all regular nodes, or only a subset of such (e.g. high-ranking officers)
are authorised to issue short-term certificates is configurable. With validity time set to 24 hours, the
need for CRLs is diminished.
4.3. Authentication, Key Establishment and Access Control
In order to verify the authenticity of certificates (i.e. prove ownership) a challenge-response protocol
is proposed. The process (depicted in Figure 1) is initiated whenever a new link is discovered (through
the reception of a HELLO message) and consists of four main steps:
1. Node B generates a challenge (CKeyID) for node A;
2. Node A signs the challenge (CKeyID) and generates a new one (RKeyID) for node B;
3. Node B verifies the response from A and generates a key;
4. Node A verifies the response from B and stores the received key.
This process serves three main functions as it 1) provides mutual authentication, 2) distributes
the authorised node description (contained in the certificate), and 3) establishes a shared secret key.
After a successful authentication, the access control mechanism utilises the node description
contained in the certificate extension to determine the access level to grant the node. We have defined
two levels: one is granted to all nodes with regular certificates, while the other is granted to
nodes with temporary short-term certificates. The latter group is not allowed to be selected MPR
and may therefore not interfere in routing protocol updates (except for the ones originating from
the node itself).
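The effect of the second access level on MPR selection (Section 4.1) can be shown with a short added example, which is not the authors' code. It uses a simplified greedy heuristic in the spirit of RFC 3626 (willingness and degree tie-breaks are omitted), and the function name, data layout and topology are constructed for illustration.

```python
def select_mprs(me, neighbours, short_term):
    """Pick an MPR set for node `me`.

    neighbours: {one-hop neighbour: set of nodes it reports as neighbours}
    short_term: neighbours authenticated with a short-term certificate
    Returns (mprs, uncovered); uncovered two-hop nodes are reachable only
    through short-term nodes, which must never relay routing traffic.
    """
    one_hop = set(neighbours)
    two_hop = set().union(*neighbours.values()) - one_hop - {me}
    # Access control: only regular-certificate neighbours are MPR candidates.
    cover = {n: neighbours[n] & two_hop for n in one_hop - set(short_term)}
    coverable = set().union(*cover.values())
    mprs = set()
    # Step 1: a neighbour that is the only route to some two-hop node is mandatory.
    for target in coverable:
        providers = [n for n in cover if target in cover[n]]
        if len(providers) == 1:
            mprs.add(providers[0])
    remaining = coverable - set().union(*(cover[m] for m in mprs))
    # Step 2: greedily add the candidate covering most still-uncovered nodes.
    while remaining:
        best = max(sorted(set(cover) - mprs), key=lambda n: len(cover[n] & remaining))
        mprs.add(best)
        remaining -= cover[best]
    return mprs, two_hop - coverable

# Constructed topology: V is a volunteer admitted with a short-term certificate.
TOPOLOGY = {
    "B": {"A", "E", "F"},
    "C": {"A", "F", "G"},
    "D": {"A", "G"},
    "V": {"A", "E", "H"},
}

if __name__ == "__main__":
    print(select_mprs("A", TOPOLOGY, short_term={"V"}))
    print(select_mprs("A", TOPOLOGY, short_term=set()))
```

With the restriction in place, node H (reachable only through V) is reported as uncovered rather than silently making V a relay; without it, V would become a mandatory MPR.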
4.4. Link Encryption
We propose an effective symmetric encryption scheme where messages are encrypted on a per link
basis. The scheme relies on the establishment of symmetric keys for each pair of neighbours. These
keys are denoted link keys and are established during the final step of the authentication and key
establishment process described previously.
To reduce the processing overhead for intermediate nodes, the payload is encrypted once using
a one-time key, which in turn is encrypted using the link key. Thus, intermediate forwarding nodes
need only decrypt and re-encrypt the header field, rather than the entire packet. Additionally, to
accommodate broadcast messages, multiple headers are allowed such that all neighbouring nodes
may decrypt the one-time key using their link key. This way one need not repeat the entire payload,
only the minimal header.
Figure 1. Key establishment process
5. PROTOCOL DESCRIPTION
Our protocol description is based on the OLSR protocol and is aimed at pointing out where the two
protocols differ. Hence, we will often refer to the OLSR specification (RFC 3626 (Clausen & Jacquet,
2003)) on matters that are not treated specifically by our security extension.
5.1. Message Formats and Processing
All existing OLSR messages such as TC and HELLO messages are distributed in broadcast mode
without explicit addresses of recipients. For our link encryption scheme we therefore define the
general encrypted message format (Figure 2) to allow multiple recipients of the per link encrypted
message. The summary section contains the number of key blocks (KB_counter) and the type and
length of the Message Authentication Code (MAC) (MAC_length). There is one Key Block for each
recipient containing a key identifier (Key_id) and the one-time key encrypted with the corresponding
key. The MAC and encrypted payload constitute the rest of the message. By using key identifiers
instead of IP addresses, the protocol does not allow adversaries to eavesdrop on the communication
in order to get an overview of participating nodes.
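The link encryption scheme of Section 4.4 and the message layout described above, as an added example that is not the authors' implementation. Assumptions: an HMAC-SHA256 keystream stands in for the cipher, which this section does not name; the 12-byte nonce field, the 4-byte Key_id, the one-byte counters, the MAC key and the field order are chosen here because Figure 2 is not reproduced.

```python
import hashlib, hmac, os, struct

def _xor(data, key, label):
    """Stand-in cipher (assumption): XOR with an HMAC-SHA256 counter keystream."""
    ks = b""
    while len(ks) < len(data):
        ks += hmac.new(key, label + struct.pack(">I", len(ks)), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, ks))

def _mac(otk, nonce, body):
    return hmac.new(otk, b"M" + nonce + body, hashlib.sha256).digest()

def _pack(nonce, otk, body, link_keys):
    """Summary (KB_counter, MAC_length), nonce, Key Blocks, MAC, encrypted payload."""
    mac = _mac(otk, nonce, body)
    out = struct.pack(">BB", len(link_keys), len(mac)) + nonce
    for key_id, link_key in link_keys.items():      # one Key Block per recipient
        out += struct.pack(">I", key_id) + _xor(otk, link_key, b"K" + nonce)
    return out + mac + body

def seal(payload, link_keys):
    """link_keys: {Key_id: link key} for each neighbour allowed to read the message."""
    otk, nonce = os.urandom(32), os.urandom(12)     # fresh one-time key per message
    return _pack(nonce, otk, _xor(payload, otk, b"P" + nonce), link_keys)

def unwrap(msg, link_keys):
    """Return (nonce, otk, body) using a matching Key Block, or None."""
    if len(msg) < 14 or len(msg) < 14 + 36 * msg[0] + msg[1]:
        return None
    count, mac_len, nonce = msg[0], msg[1], msg[2:14]
    off = 14 + 36 * count
    mac, body = msg[off:off + mac_len], msg[off + mac_len:]
    for i in range(count):
        block = msg[14 + 36 * i:50 + 36 * i]
        key_id = struct.unpack(">I", block[:4])[0]
        if key_id in link_keys:
            otk = _xor(block[4:], link_keys[key_id], b"K" + nonce)
            if hmac.compare_digest(mac, _mac(otk, nonce, body)):
                return nonce, otk, body
    return None

def open_msg(msg, link_keys):
    got = unwrap(msg, link_keys)
    return None if got is None else _xor(got[2], got[1], b"P" + got[0])

def forward(msg, keys_in, keys_out):
    """Relay: re-wrap the one-time key only; payload ciphertext is reused unchanged."""
    got = unwrap(msg, keys_in)
    return None if got is None else _pack(*got, keys_out)
```

A relay calling `forward` never decrypts the payload: it checks the MAC over the ciphertext and replaces only the Key Blocks, so per-hop cost is independent of payload size.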
The encrypted HELLO message defined for our protocol is identical to the original HELLO
message format after decryption. The encrypted TC messages contain a node description in addition
to the already specified solution (see Figure 6).
The message formats for our challenge response protocol are given in Figures 3, 4, and 5. The
key identifiers (CKeyID/RKeyID) are selected randomly and therefore also serve as nonces.
Figure 2. General encrypted message format encapsulating HELLO and TC messages
Figure 3. Challenge message format
5.2. Information Bases
We extend the information bases for OLSR to include link keys, node descriptions and access
level. The link set tuple is extended to include local and neighbour key identifiers (L_local_KID,
L_neighbour_KID) and key value (L_key_value). The local key identifier is used whenever a
message is sent to a node, while the neighbour key identifier is used whenever a message is received.
Local key identifiers must be unique for each node, while neighbour key identifiers need not. The
neighbourhood information base is extended to include the authenticated node description extracted
from the certificate during key establishment.
Figure 4. Response message format
Figure 5. KEY message format
Figure 6. TC message format after decryption